Bart's Soapbox: talk about technology and politics

IP filtering and DNS servers


I get asked quite often to take a look at the IP filtering rules that people have. One of the interesting things I noticed is that in many cases where people run a public DNS server, they have an IP filter installed and use state keeping for DNS requests. I believe that the filter is a good idea, but in this specific case the state keeping is not.

Let's take a look at what happens in this case:

  1. The client sends a DNS request in the form of a single UDP packet.
  2. The IP filter sees the UDP packet and creates a state table entry.
  3. The DNS server sends a reply in the form of a single UDP packet.
  4. End of communication. The IP filter is left with a useless state table entry that will only disappear when it times out.

Since this is supposedly a public DNS server, everyone is allowed to send requests, so port 53 should be open to all. The state keeping is not offering any additional protection here; in fact, it makes the setup more vulnerable to DoS attacks that try to exhaust the state table, because every single query from any source costs the filter an entry that lingers until the UDP timeout.

In other words, this is a bad idea that makes your DNS more vulnerable instead of less.

What you do prevent with it (given that no other rules allow it) is the DNS server sending out packets from port 53 without there being an incoming request first.

When looking at TCP based services, things are quite a bit different. First of all, you do offer additional protection with state keeping on incoming requests. Only SYN packets will get through initially to establish a connection, and only after that can other TCP packets get through. Communications between client and server usually involve a sequence of packets, so the state table entry actually gets used more than once. On top of that, it is usually easy to tell when a TCP connection finishes (FIN or RST), so the entry can be removed without having to wait for it to time out.

State keeping for outgoing communications, both UDP and TCP, is useful: the server's own outbound queries and connections are the ones whose replies you want let back in and nothing else.
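The following ruleset is an added example, not from the original post, that puts the advice above side by side: the stateful UDP rule the post argues against (commented out), the stateless pair that replaces it, state keeping for TCP on port 53, and state keeping for the server's own outgoing traffic. It is written in IPFilter (ipf) syntax as an assumption, since the post does not name the filter; the interface name em0 and the server address 192.0.2.53 are constructed placeholders.

```conf
# Added example (not the post's own rules). Assumes IPFilter (ipf) syntax,
# interface em0 and server address 192.0.2.53 (both constructed).

# --- the pattern the post argues against ----------------------------------
# One state entry per query; each entry lingers until the UDP timeout, so a
# flood of queries from many sources fills the state table.
# pass in quick on em0 proto udp from any to 192.0.2.53 port = 53 keep state

# --- stateless rules for the public UDP DNS service -----------------------
# Any query may come in; replies leave from port 53 only. No state table
# entry is created, so a query flood costs the filter nothing to track.
pass in  quick on em0 proto udp from any to 192.0.2.53 port = 53
pass out quick on em0 proto udp from 192.0.2.53 port = 53 to any

# --- TCP DNS (large answers, zone transfers): state keeping pays off ------
# Only a SYN creates an entry; later segments of the same connection match
# it, and the FIN/RST at the end lets the filter drop the entry early.
pass in quick on em0 proto tcp from any to 192.0.2.53 port = 53 flags S keep state

# --- the server's own outgoing traffic: keep state ------------------------
# Replies to the server's recursive queries and connections get back in
# through the state entry; unsolicited inbound packets do not.
pass out quick on em0 proto udp from 192.0.2.53 to any keep state
pass out quick on em0 proto tcp from 192.0.2.53 to any flags S keep state

# --- everything else is dropped -------------------------------------------
block in  quick on em0 all
block out quick on em0 all
```

Rule order matters because of `quick`: the stateless `pass out ... port = 53 to any` rule must come before the stateful outbound UDP rule, otherwise DNS replies would hit the latter and create the very state entries the first rule avoids. The trade-off is the one the post names: with the stateless pair in place, the server may send UDP from port 53 without a matching incoming query, which is acceptable for a host whose purpose is to answer on port 53.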




 Copyright © 2008 Bart's Soapbox